Spring Oauth with multiple users tables

Question

I am creating an application using Spring with Oauth2 as a backend for two apps (provider app and a consumer app). I have two different types of users; Providers, and consumers, each with its own db table. The problem I am facing is that I cannot find a way to know if the request is coming from a provider or a customer, as each one will be in a different db table.

The username is Not unique between the two tables. So, a provider and a consumer can have the same username (and password). I think any of the following solutions will suffice, however, I can’t find any way to implement any of them.

• Having two different endpoints for each user class. e.g. “/provider/oauth/token” and “/consumer/oauth/token”. Each with its custom authentication manager.
• Or: Having two authorization servers in the same Spring application, and then mapping their “/oauth/token” to different endpoints.
• Or: Sending custom data in the oauth request to know where the request is coming from, and then dynamically selecting an authentication manager.
• Or: Associating different authentication manager to different OAuth clients, and then ensuring that each app will have its respective client ID.

If any of these solutions is possible, or if there is another way to accomplish this, please let me know. Any help is appreciated.

Edit - Solution

Following the answer below, I added another client with a different client ID, check the id in the UserDetailsService and then decide which db to use. Here is the code:

  public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
            UsernamePasswordAuthenticationToken authentication = (UsernamePasswordAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
            User user = (User) authentication.getPrincipal();
            String username = user.getUsername();
            if (username.equals(OAuth2Configuration.provider_app))
                   // Load from provider db
            else if (username.equals(OAuth2Configuration.consumer_app))
                  // Load from consumer db
            else
                throw new UsernameNotFoundException("ClientID " + username + " not found.");
        }
    };
}

UsernamePasswordAuthenticationToken is used as /oauth/token is protected with Basic Oauth using the client id and secret.

Answer 1

I think you should be able to look inside SecurityContextHolder.getContext().getAuthentication. This should be an instance of OAuth2Authentication, from which you can (after you cast) call getOAuth2Request() to get the original Oauth2Request details.

With this information you can have a single UserDetailsService that can delegate lookups to the correct db tables. You could use scopes or resourceIds to help determine what db table to use.